Field of the Invention

This invention relates to a method for XZ-Elliptic Curve Cryptography and more 
particularly to a method for encrypting and decrypting a message bit string using a group 
of points on an elliptic curve over a finite field and wherein the group of points of the 
elliptic curve are defined over additions in projective coordinates. 

Background for the Invention 

Cryptography provides methods of providing privacy and authenticity for remote 
communications and data storage. Privacy is achieved by encryption of data, usually 
using the techniques of symmetric cryptography (so called because the same 
mathematical key is used to encrypt and decrypt the data). Authenticity is achieved by the 
functions of user identification, data integrity, and message non-repudiation. These are 
best achieved via asymmetric (or public-key) cryptography. 

In particular, public-key cryptography enables encrypted communication between 
users that have not previously established a shared secret key between them. This is most 
often done using a combination of symmetric and asymmetric cryptography: public-key 
techniques are used to establish user identity and a common symmetric key, and a
symmetric encryption algorithm is used for the encryption and decryption of the actual 
messages. The former operation is called key agreement. Prior establishment is necessary 
in symmetric cryptography, which uses algorithms for which the same key is used to 
encrypt and decrypt a message. Public-key cryptography, in contrast, is based on key 
pairs. A key pair consists of a private key and a public key. As the names imply, the 
private key is kept private by its owner, while the public key is made public (and 
typically associated to its owner in an authenticated manner). In asymmetric encryption, 
the encryption step is performed using the public key, and decryption using the private 
key. Thus the encrypted message can be sent along an insecure channel with the
assurance that only the intended recipient can decrypt it.

The key agreement can be interactive (e.g., for encrypting a telephone 
conversation) or non-interactive (e.g., for electronic mail). 

User identification is most easily achieved using what are called identification 
protocols. A related technique, that of digital signatures, provides data integrity and 
message non-repudiation in addition to user identification. 

The public key is used for encryption or signature verification of a given message, 
and the private key is used for decryption or signature generation of the given message. 

The use of cryptographic key pairs was disclosed in U.S. Pat. No. 4,200,770, 
entitled "CRYPTOGRAPHIC APPARATUS AND METHOD." U.S. Pat. No. 4,200,770 
also disclosed the application of key pairs to the problem of key agreement over an 
insecure communication channel. The algorithms specified in U.S. Pat. No.
4,200,770 rely for their security on the difficulty of the mathematical problem of
finding a discrete logarithm. U.S. Pat. No. 4,200,770 is hereby incorporated herein in its
entirety by reference.

In order to undermine the security of a discrete-logarithm based crypto algorithm, 
an adversary must be able to perform the inverse of modular exponentiation (i.e., a 
discrete logarithm). There are mathematical methods for finding a discrete logarithm 
(e.g., the Number Field Sieve), but these algorithms cannot be done in any reasonable 
time using sophisticated computers if certain conditions are met in the specification of the 
crypto algorithm. 

In particular, it is necessary that the numbers involved be large enough. The larger 
the numbers used, the more time and computing power is required to find the discrete 
logarithm and break the cryptograph. On the other hand, very large numbers lead to very 
long public keys and transmissions of cryptographic data. The use of very large numbers
also requires large amounts of time and computational power in order to perform the
crypto algorithm. Thus, cryptographers are always looking for ways to minimize the size 
of the numbers involved, and the time and power required, in performing the encryption 
and/or authentication algorithms. The payoff for finding such a method is that 
cryptography can be done faster, cheaper, and in devices that do not have large amounts 
of computational power (e.g., hand-held smart-cards). 

A discrete-logarithm based crypto algorithm can be performed in any 
mathematical setting in which certain algebraic rules hold true. In mathematical 
language, the setting must be a finite cyclic group. The choice of the group is critical in a 
cryptographic system. The discrete logarithm problem may be more difficult in one group 
than in another for which the numbers are of comparable size. The more difficult the 
discrete logarithm problem, the smaller the numbers that are required to implement the 
crypto algorithm. Working with smaller numbers is easier and faster than working with 
larger numbers. Using small numbers allows the cryptographic system to be higher 
performing (i.e., faster) and requires less storage. So, by choosing the right kind of group, 
a user may be able to work with smaller numbers, make a faster cryptographic system, 
and get the same, or better, cryptographic strength than from another cryptographic 
system that uses larger numbers. 

1.1 Elliptic Curves & Cryptography 

The groups referred to above come from a setting called finite fields. Methods of 
adapting discrete-logarithm based algorithms to the setting of elliptic curves are known. 
However, finding discrete logarithms in this kind of group is particularly difficult. Thus 
elliptic curve-based crypto algorithms can be implemented using much smaller numbers 
than in a finite-field setting of comparable cryptographic strength. Thus the use of elliptic 
curve cryptography is an improvement over finite-field based public-key cryptography. 

In practice, an Elliptic Curve group over Fields F(p) is formed by choosing a pair 
of a and b coefficients, which are elements within F(p). The group consists of a finite set
of points P(x,y) which satisfy the elliptic curve equation

$$F(x,y) = y^2 - x^3 - ax - b = 0 \qquad (1.1)$$

together with a point at infinity, O. The coordinates of the point, x and y, are 
elements of F(p) represented in N-bit strings. In what follows, a point is either written as 
a capital letter, e.g. P, or as a pair in terms of the affine coordinates, i.e. (x,y). 

The Elliptic Curve Cryptosystem relies upon the difficulty of the Elliptic Curve 
Discrete Logarithm Problem (ECDLP) to provide its effectiveness as a cryptosystem. 
Using multiplicative notation, the problem can be described as: given points B and Q in 
the group, find a number k such that $B^k = Q$; where k is called the discrete logarithm of Q
to the base B. Using additive notation, the problem becomes: given two points B and Q in 
the group, find a number k such that kB=Q. 

In an Elliptic Curve Cryptosystem, the large integer k is kept private and is often 
referred to as the secret key. The point Q together with the base point B are made public 
and are referred to as the public key. The security of the system, thus, relies upon the 
difficulty of deriving the secret k, knowing the public points B and Q. The main factor 
that determines the security strength of such a system is the size of its underlying finite 
field. In a real cryptographic application, the underlying field is made so large that it is 
computationally infeasible to determine k in a straightforward way by computing all the 
multiples of B until Q is found. 

The core of the elliptic curve geometric arithmetic is an operation called scalar 
multiplication which computes kB by adding together k copies of the point B. The scalar 
multiplication is performed through a combination of point-doubling and point-addition 
operations. The point-addition operation adds two distinct points together and the point-
doubling operation adds two copies of a point together. To compute, for example,
11B = (2*(2*(2B))) + 2B + B = Q, it would take 3 point-doublings and 2 point-additions.

Addition of two points on an elliptic curve is calculated as follows. When a
straight line is drawn through the two points, the straight line intersects the elliptic curve 
at a third point. The point symmetric to this third intersecting point with respect to the x- 
axis is defined as a point resulting from the addition. 

Doubling a point on an elliptic curve is calculated as follows. When a tangent line 
is drawn at a point on an elliptic curve, the tangent line intersects the elliptic curve at 
another point. The point symmetric to this intersecting point with respect to the x-axis is 
defined as a point resulting from the doubling. 

Table 1 illustrates the addition rules for adding two points $(x_1, y_1)$ and $(x_2, y_2)$,
that is,

$$(x_3, y_3) = (x_1, y_1) + (x_2, y_2) \qquad (1.2)$$

Table 1: Summary of Addition Rules: $(x_3, y_3) = (x_1, y_1) + (x_2, y_2)$

General Equations:
    $x_3 = m^2 - x_2 - x_1$
    $y_3 = m(x_3 - x_1) + y_1$
Point Addition:
Point Doubling, $(x_3, y_3) = 2(x_1, y_1)$:
    $m = \frac{3x_1^2 - a}{2y_1}$
$(x_2, y_2) = -(x_1, y_1)$:
    $(x_3, y_3) = (x_1, y_1) + (-(x_2, y_2)) = O$
$(x_2, y_2) = O$:
    $(x_3, y_3) = (x_1, y_1) + O = (x_1, y_1)$
$-(x_1, y_1)$:
    $= (x_1, -y_1)$

1.2 Overview of Elliptic Curve Encryption and Decryption 

Given a message point $(x_m, y_m)$, a base point $(x_B, y_B)$, and a given key, k, the cipher
point $(x_c, y_c)$ is obtained using the following equation,

$$(x_c, y_c) = (x_m, y_m) + k(x_B, y_B) \qquad (1.3)$$

There are two basic steps in the computation of the above equation. The first is to find
the scalar multiplication of the base point with the key, $k(x_B, y_B)$. The resulting point
is then added to the message point, $(x_m, y_m)$, to obtain the cipher point.

At the receiver, the message point is recovered from the cipher point, which is usually
transmitted, the shared key and the base point, that is

$$(x_m, y_m) = (x_c, y_c) - k(x_B, y_B) \qquad (1.4)$$

1.3 Embedding Message Data on Elliptic Curve Points

As indicated earlier, the x-coordinate, $x_m$, is represented as an N-bit string. Not all
of the N bits are used to carry information about the data of the secret message.

Assume that the number of bits of the x-coordinate, $x_m$, that do not carry data is
L. The extra bits, L, are used to ensure that message data when embedded into the x-
coordinate will lead to an $x_m$ value that satisfies the elliptic curve equation, equation 1.1.
Usually, if the first guess of $x_m$ is not on a curve, then the second or third try is. This was
first proposed in "N. Koblitz, Introduction to Elliptic Curve and Modular Forms, New
York: Springer-Verlag 1993".

Therefore the number of bits used to carry the bits of the message data is (N-L).
Assume that the secret data is an M-bit string. The number of elliptic curve points

It is important to note that the y-coordinate, $y_m$, of the message point carries no
data bits.
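
The double-and-add scalar multiplication, the embedding of (N-L) data bits with L search bits, and equations 1.3 and 1.4, worked through on a toy curve. This is an added example, not code from the patent: the prime 8191, the coefficients a=1 and b=3, the 8/4 split of data and padding bits and all function names are constructed here, and the affine formulas are the standard chord-and-tangent rules for equation 1.1.

```python
# Added illustration: toy parameters constructed for this example, far too
# small for real use. Function and constant names are hypothetical.
P = 8191             # field prime, 2**13 - 1, chosen with P % 4 == 3
A, B = 1, 3          # curve y^2 = x^3 + A*x + B (equation 1.1)
DATA_BITS = 8        # (N - L) message bits carried by x_m
PAD_BITS = 4         # L extra bits searched until x_m is on the curve
O = None             # point at infinity


def lift_x(x):
    """Return (x, y) on the curve, or None if x^3 + A*x + B has no square root."""
    v = (x**3 + A * x + B) % P
    y = pow(v, (P + 1) // 4, P)          # square-root candidate, valid for P % 4 == 3
    return (x, y) if y * y % P == v else None


def on_curve(pt):
    return pt is O or (pt[1]**2 - pt[0]**3 - A * pt[0] - B) % P == 0


def neg(pt):
    return O if pt is O else (pt[0], -pt[1] % P)


def add(p1, p2):
    """Affine chord-and-tangent addition, including the O and inverse cases."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O                                           # P + (-P) = O
    if p1 == p2:
        # tangent slope, from differentiating equation 1.1: 2y dy = (3x^2 + a) dx
        m = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        m = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P      # chord slope
    x3 = (m * m - x1 - x2) % P
    # third intersection is (x3, y1 + m*(x3 - x1)); the sum is its mirror image
    return (x3, -(y1 + m * (x3 - x1)) % P)


def scalar_mult(k, pt):
    """Left-to-right double-and-add for k >= 1: returns (k*pt, doublings, additions)."""
    acc, doublings, additions = pt, 0, 0
    for bit in bin(k)[3:]:               # bits below the leading 1
        acc = add(acc, acc)
        doublings += 1
        if bit == "1":
            acc = add(acc, pt)
            additions += 1
    return acc, doublings, additions


def embed(data):
    """Put the data in the high bits of x_m and try pad values until a point exists."""
    if not 0 <= data < (1 << DATA_BITS):
        raise ValueError("data does not fit in DATA_BITS")
    for pad in range(1 << PAD_BITS):
        pt = lift_x((data << PAD_BITS) | pad)
        if pt is not None:
            return pt
    raise ValueError("no curve point found for this data block")


def extract(pt):
    return pt[0] >> PAD_BITS             # y_m carries no data bits


# First liftable x >= 1 serves as the (constructed) base point.
BASE = next(pt for pt in map(lift_x, range(1, P)) if pt is not None)


def encrypt(data, k, base=BASE):
    kb, _, _ = scalar_mult(k, base)
    return add(embed(data), kb)                  # equation 1.3


def decrypt(cipher, k, base=BASE):
    kb, _, _ = scalar_mult(k, base)
    return extract(add(cipher, neg(kb)))         # equation 1.4


if __name__ == "__main__":
    c = encrypt(0x5A, k=1234)
    print("cipher point:", c, "-> recovered:", hex(decrypt(c, k=1234)))
```

Each call to `add` performs one modular inversion, which is the per-operation cost that the projective-coordinate discussion later in the text sets out to remove.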

1.4 Attacks

The difficulty in solving the elliptic curve discrete logarithm problem has been
established theoretically, while information associated with secret information such as the
private key or the like may leak out in cryptographic processing in a real implementation. Thus,
there has been proposed an attack method of so-called power analysis in which the secret
information is decrypted on the basis of the leaked information.

An attack method in which change in voltage is measured in cryptographic 
processing using secret information such as DES (Data Encryption Standard) or the like, 
so that the process of the cryptographic processing is obtained and the secret information 
is inferred on the basis of the obtained process is disclosed in P. Kocher, J. Jaffe and B. 
Jun Differential Power Analysis, Advances in Cryptology: Proceedings of CRYPTO '99, 
LNCS 1666, Springer-Verlag, (1999) pp. 388-397. This attack method is called DPA 
(Differential Power Analysis). 

An elliptic curve cryptosystem to which the above-mentioned attack method is 
applied is disclosed in J. Coron, Resistance against Differential Power Analysis for 
Elliptic Curve Cryptosystems, Cryptographic Hardware and Embedded Systems: 
Proceedings of CHES '99, LNCS 1717, Springer-Verlag, (1999) pp. 292-302. In the 
elliptic curve cryptosystem, encryption, decryption, signature generation and signature 
verification of a given message have to be carried out with elliptic curve operations. 
Particularly, calculation of scalar multiplication on an elliptic curve is used in 
cryptographic processing using a scalar value as secret information. 

As one of the measures against DPA attack on elliptic curve cryptosystems, a 
method using randomized projective coordinates is known. This is a measure against an 
attack method of observing whether a specific value appears or not in scalar
multiplication calculation, and inferring a scalar value from the observing result. That is,
by multiplication with a random value, the appearance of such a specific value is 
prevented from being inferred. 

In the above-mentioned background-art elliptic curve cryptosystem, attack by 
power analysis such as DPA or the like was not taken into consideration. Therefore, to 
relieve the attack by power analysis, extra calculation, or the like, other than necessary 
calculation had to be carried out in cryptographic processing using secret information so 
as to weaken the dependence of the process of the cryptographic processing and the 
secret information on each other. Thus, time required for the cryptographic processing 
increased so that cryptographic processing efficiency was lowered conspicuously in a 
computer such as an IC card, or the like, which was slow in calculation speed, a server 
managing an enormous number of cryptographic processes, or the like. In addition, the 
dependence of cryptographic processing process and secret information on each other 
cannot be cut off perfectly. In addition, if priority was given to the cryptographic 
processing efficiency, the cryptosystem was apt to come under attack by power analysis 
so that there was a possibility that secret information leaks out.

1.5 Speed of Computations

With the development of information communication networks, cryptographic 
techniques have been indispensable elements for concealment or authentication about 
electronic information. Speeding up is demanded along with the security of the 
cryptographic techniques. The elliptic curve discrete logarithm problem is so difficult that 
elliptic curve cryptosystems can make key length shorter than that in RSA (Rivest- 
Shamir-Adleman) cryptosystems basing their security on the difficulty of factorization 
into prime factors. Thus, the elliptic curve cryptosystems open the way to comparatively 
high-speed cryptographic processing. However, the processing speed is not always high 
enough to satisfy smart cards which have restricted throughput or servers which have to 
carry out large volumes of cryptographic processing. It is therefore demanded to further 
speed up the processing in cryptosystems.

The two equations for m in Table 1 are called slope equations. Computation of a
slope equation in integer fields requires one modular integer division. Alternatively, the 
slope computation can be computed using one modular integer inversion and one 
modular integer multiplication. Modular integer division and modular integer inversion 
are expensive computationally because they require extensive CPU cycles for the 
manipulation of two large integers modulo a large prime number. Today, it is commonly
accepted that a point-doubling and point-addition operation each requires one inversion, 
two multiplies, a square, and several additions. To date there are techniques to compute 
modular integer division and modular integer inversion, and techniques to trade 
expensive inversions for multiplies by performing the operations in projective 
coordinates. 

In cases where field inversions are significantly more expensive than 
multiplication, it is efficient to implement projective coordinates. An elliptic curve 
projective point (X,Y,Z) in conventional projective (or homogeneous) coordinates 
satisfies the homogeneous Weierstrass equation, 

$$F(X,Y,Z) = Y^2 Z - X^3 - aXZ^2 - bZ^3 = 0 \qquad (1.5)$$

and, when $Z \neq 0$, it corresponds to the affine point $(x, y) = (\frac{X}{Z}, \frac{Y}{Z})$. It turns out
that other projective representations lead to more efficient implementations of the group
operation [D.V. Chudnovsky and G.V. Chudnovsky, Sequences of numbers generated by
addition in formal groups and new primality and factorization tests, Adv. in Appl. Math.
Vol. 7, 1987, pp. 385-434.]. In particular, in the Jacobian representation the triplet
(X,Y,Z) corresponds to the affine coordinates $(x,y) = (\frac{X}{Z^2}, \frac{Y}{Z^3})$ whenever $Z \neq 0$. This is
equivalent to using the Jacobian elliptic curve equation that is of the form,

$$F_J(X,Y,Z) = Y^2 - X^3 - aXZ^4 - bZ^6 = 0 \qquad (1.6)$$

Another commonly used projection is the Chudnovsky-Jacobian coordinates.

In general terms, the relationship between the affine coordinates and the
projection coordinates can be written as $(x,y) = (\frac{X}{Z^i}, \frac{Y}{Z^j})$ where the values of i and j
depend on the choice of the projective coordinates. For example for homogeneous
coordinates, i=1 and j=1.



It is important to note that the group addition rules are defined in the affine
coordinates and not in any of the projective coordinates, that is,

$$(\frac{X_3}{Z_3^i}, \frac{Y_3}{Z_3^j}) = (\frac{X_1}{Z_1^i}, \frac{Y_1}{Z_1^j}) + (\frac{X_2}{Z_2^i}, \frac{Y_2}{Z_2^j}) \qquad (1.7)$$

In other words, the computation of the coordinate values of $X_3$, $Y_3$ and $Z_3$ are
based on the equations in Table 1, whereby the value of $Z_3$ is chosen from the
denominator of the equations in Table 1 in order to remove the division operations from
the calculations of $X_3$ and $Y_3$.

This implies that $(\frac{X_1}{Z_1^i}, \frac{Y_1}{Z_1^j})$, $(\frac{X_2}{Z_2^i}, \frac{Y_2}{Z_2^j})$ and $(\frac{X_3}{Z_3^i}, -\frac{Y_3}{Z_3^j})$ lie on the same straight
line, while $(X_1, Y_1, Z_1)$, $(X_2, Y_2, Z_2)$ and $(X_3, -Y_3, Z_3)$ do not lie on the same line.

This implies that one cannot write,

$$(X_3, Y_3, Z_3) = (X_1, Y_1, Z_1) + (X_2, Y_2, Z_2)$$

when the addition, +, is defined over the affine coordinate.

It should be noted that defining the elliptic curve points as a group over addition
is necessary so that equation 1.7 can be re-written as,

$$(\frac{X_2}{Z_2^i}, \frac{Y_2}{Z_2^j}) = (\frac{X_3}{Z_3^i}, \frac{Y_3}{Z_3^j}) - (\frac{X_1}{Z_1^i}, \frac{Y_1}{Z_1^j})$$

It is this group definition, which leads to the fact that decryption, which is
described in equation 1.4, is in fact the reciprocal of encryption as defined in equation
1.3.



The use of projective coordinates circumvents the need for division in the
computation of each point addition and point doubling during the calculation of scalar
multiplication. Therefore, integer modular division can be avoided in the calculation of
scalar multiplication, $k(\frac{X_B}{Z_B^i}, \frac{Y_B}{Z_B^j})$, when using projective coordinate.

The last addition for the computation of the cipher point, $(\frac{X_c}{Z_c^i}, \frac{Y_c}{Z_c^j})$, i.e. the
addition of the two points $(\frac{X_m}{Z_m^i}, \frac{Y_m}{Z_m^j})$ and $k(\frac{X_B}{Z_B^i}, \frac{Y_B}{Z_B^j})$, can also be carried out in the
chosen projection coordinate, that is

$$(\frac{X_c}{Z_c^i}, \frac{Y_c}{Z_c^j}) = (\frac{X_m}{Z_m^i}, \frac{Y_m}{Z_m^j}) + k(\frac{X_B}{Z_B^i}, \frac{Y_B}{Z_B^j})$$

It should be pointed out that $Z_m = 1$.

However, one division (or one inversion and one multiplication) must still be
carried out to calculate $x_c = \frac{X_c}{Z_c^i}$, since only the affine x-coordinate of the cipher point,
$x_c$, is sent by the sender.

Therefore the encryption of (N-L) bits of the secret message using elliptic curve 
encryption requires at least one division when using projective coordinates. Similarly, the 
decryption of a single message encrypted using elliptic curve cryptography also requires 
at least one division when using projective coordinates.

The state of elliptic curve cryptography is described in a paper by Neal Koblitz,
Alfred Menezes and Scott Vanstone, Designs, Codes and Cryptography 19 173-193
(2000) which is incorporated herein in its entirety by reference. More recent
developments are described in the U.S. Patent of Vanstone et al. number 6,424,712 and
the published patent applications U.S. 2003/0059042 of Okeya et al, number
2003/0123656 of Izu et al. and 2003/0142820 of Futa et al. all of which are incorporated
herein by reference. An earlier patent number 4,200,770 of Hellman et al. discloses an
earlier cryptographic apparatus and method and is also incorporated herein by reference.

The 0059042, 0123656 and 0142820 patent applications and U.S. application
number 6,424,712 address the issue of speeding up elliptic curve scalar multiplications.






Brief Summary of the Invention 



In essence, the present invention contemplates an improved method for 
communicating securely over an insecure channel using elliptic curve cryptography. The 
improvement comprises applying projective coordinates in two stages. In a first of the 
two stages, a projective coordinate is used to embed extra message data bits in the Z 
coordinate. Then, in a second stage a projective coordinate is used to remove a division 
operation at each iteration and for randomizing the computation in order to provide a 
counter measure against differential power analysis. 

In a preferred embodiment of the invention, a method for encrypting or encoding
and decrypting or decoding a message bit string in an information processing system is
provided. The method includes the step of establishing an elliptic curve message point
$(X_m, Y_m, Z_m)$ and embedding a message bit string into the elliptic curve message point. A
shared key (k) and a base point $(X_b, Y_b, Z_b)$ are provided and the scalar multiplication
$(X_{bk}, Y_{bk}, Z_{bk}) = k(X_b, Y_b, Z_b)$ is computed. A cipher point $(X_c, Y_c, Z_c)$ is then computed using
$(X_c, Y_c, Z_c) = (X_m, Y_m, Z_m) + k(X_b, Y_b, Z_b)$. Appropriate bits of the X-coordinate, $X_c$, and the Z-
coordinate, $Z_c$, of the cipher point $(X_c, Y_c, Z_c)$ are then sent to a receiving party and the
shared key k and base point $(X_b, Y_b, Z_b)$ are used in computing a scalar multiplication
$(X_{bk}, Y_{bk}, Z_{bk}) = k(X_b, Y_b, Z_b)$. Computing the message point $(X_m, Y_m, Z_m)$ using $(X_m, Y_m, Z_m) =
(X_c, Y_c, Z_c) + (-k(X_b, Y_b, Z_b))$ and recovering the message bit string from $X_m$ and $Z_m$
completes the method.

In the classical approach of elliptic curve cryptography, encryption and
decryption, the message data bits are embedded in only the affine x-coordinate, $x_m$, of
the elliptic curve points. Furthermore, given an elliptic curve defined over F(p) that needs
N bits for the representation of its elements, each x-coordinate, $x_m$, carries only (N-L) bits
of the message data bits. Therefore, at least one inversion or division over F(p), i.e. one
modulo p inversion or division, is needed per (N-L)-bit encryption.

In this invention, a new approach to elliptic curve cryptography is presented
where the encryption of more than (N-L)-bits of the message data is achieved per one
inversion or division over F(p), i.e. per one modulo p inversion or division.

This is achieved by defining an elliptic curve group over addition in projective 
coordinates. This allows the embedding of the data bits in both the X-coordinate and the 
Z-coordinate of the elliptic curve points, where X and Z are elements of F(p) represented 
in N-bit strings. In the new invention, the relevant bits of both the X and Z coordinates of 
the cipher point are sent to the receiver. 

At the receiving entity, the message bits are recovered from X and Z coordinates 
of the cipher point using one inversion or division over F(p), i.e. per one modulo p 
inversion or division. 

In the proposed invention, a second projective coordinate is used at the sending 
and receiving entities to eliminate the inversion or division during each addition and 
doubling operations of the scalar multiplication. In theory, up to (2N-L) bits of the 
message data can be encrypted and subsequently decrypted using one inversion or 
division. The number of multiplications, additions, and squaring needed in the new 
scheme are comparable with that needed in classical elliptic curve cryptography. 

The embedding of bits of the message data in both the X and Z coordinate of an 
elliptic curve point results in 50% saving in computational complexity while maintaining 
the same level of security. The reason is that the number of points that satisfy an elliptic 
curve equation and which can be used in the corresponding cryptosystem is proportional 
to $p^2$ rather than p. Hence, for the same number of embedded bits, a smaller p can be used
when embedding in both the X and Z coordinates than when embedding only in the x-
coordinate. This results in faster implementations and reduced power consumption.

Description of the Preferred Embodiments of the Invention

3 Definition of a Set of Elliptic Curve Points represented in Projective 
Coordinate as a Group over Addition: 

It is well known that the symbol ∈ denotes set membership.

Given a field F(p), and a & b ∈ F(p), we define $EC^2$ as the set of points (x,y) that
satisfy the elliptic curve equation in affine coordinate, that is equation 1.1, where
x & y ∈ F(p) together with a point at infinity.

It is shown in the above mentioned book by N. Koblitz, that using the addition
rules defined above for the set of points $EC^2$, the set $EC^2$ forms an abelian group over
addition, ($EC^2$, +).

A new projection (X,Y,Z) is defined here as Ibrahim's projection, which is related 
to the affine coordinate as follows, 




3.1 



Substituting Ibrahim's projection in equation 1.1, one obtains Ibrahim's form of
the elliptic curve equation,

$$F(X,Y,Z) = Z^3 F(\frac{X}{Z}, \frac{Y}{Z^{3/2}}) = Y^2 - X^3 - aXZ^2 - bZ^3 = 0 \qquad (3.2)$$

Note that if F(x,y) is non-singular, i.e. $4a^2 + 27b^3 \neq 0$, then F(X,Y,Z) is also non-
singular. In what follows, assume non-singular elliptic curve equations.

The set of points $EC^3$ is defined as the triplets (X,Y,Z), where X, Y & Z ∈ F(p),
that satisfy Ibrahim's form of the elliptic curve equation plus a point at
infinity $(X_I, Y_I, Z_I)$ and excluding the point at the origin, (0,0,0).

Note that $EC^3$ is in projective coordinates while $EC^2$ is in affine coordinates.

The addition rules for the group ($EC^2$, +) can be adopted to define an additive
binary operation, +, over $EC^3$, that is for all $(X_1, Y_1, Z_1) \in EC^3$ and $(X_2, Y_2, Z_2) \in EC^3$, the
sum,

$$(X_3, Y_3, Z_3) = (X_1, Y_1, Z_1) + (X_2, Y_2, Z_2) \qquad (3.3)$$

is also $(X_3, Y_3, Z_3) \in EC^3$.

It is shown that ($EC^3$, +) also forms a group over addition that satisfies the
following axioms:

(i) There exists $(X_I, Y_I, Z_I) \in EC^3$ such that $(X, Y, Z) + (X_I, Y_I, Z_I) = (X, Y, Z)$ for all
$(X, Y, Z) \in EC(K^3)$,

(ii) For every $(X, Y, Z) \in EC^3$ there exists $-(X, Y, Z) \in EC^3$ such that
$(X, Y, Z) - (X, Y, Z) = (X_I, Y_I, Z_I)$,

(iii) the additive binary operation is commutative.

(iv) the additive binary operation is associative.

3.1 Definition of the addition rules for the Group ($EC^3$, +):

Addition of two points on an elliptic curve in projective coordinate, $EC^3$, is
calculated as follows. When a straight line is drawn through the two points of $EC^3$, the
straight line intersects the elliptic curve in projective coordinate at a third point. The point
symmetric to this third intersecting point with respect to the X-axis is defined as a point
resulting from the addition.

A straight-line equation in projective coordinates is given by,

$$\frac{X - X_1}{X_2 - X_1} = \frac{Y - Y_1}{Y_2 - Y_1} = \frac{Z - Z_1}{Z_2 - Z_1} \qquad (3.4)$$

The basic rule can be formulated as follows: Draw the line that joins the two
points to be added in the set $EC^3$. Denoting the third point of intersection as $(X'_3, Y'_3, Z'_3)$,
the sum point is defined as $(X_3, Y_3, Z_3) = (X'_3, -Y'_3, Z'_3)$.

It follows from the above definition that the addition over $EC^3$ is commutative,
i.e. $(X_1, Y_1, Z_1) + (X_2, Y_2, Z_2) = (X_2, Y_2, Z_2) + (X_1, Y_1, Z_1)$ for all $(X_1, Y_1, Z_1) \in E(K^3)$,
$(X_2, Y_2, Z_2) \in E(K^3)$. This satisfies axiom (iii) above.

There are four main cases that need to be considered for the computation of
addition for ($EC^3$, +):

A. $X_1 \neq X_2$

B. $X_1 = X_2$ & $Z_1 \neq Z_2$

C. $(X_1, Y_1, Z_1) = (X_2, Y_2, Z_2)$ (point doubling)

D. $X_1 = X_2$ & $Z_1 = Z_2$

Case A: $X_1 \neq X_2$

In this case, one can write,

$$Y'_3 = Y_1 + m_y(X'_3 - X_1) \qquad (3.5)$$

and

$$Z'_3 = Z_1 + m_z(X'_3 - X_1) \qquad (3.6)$$

where

$$m_y = \frac{Y_2 - Y_1}{X_2 - X_1} \qquad (3.7)$$

and

$$m_z = \frac{Z_2 - Z_1}{X_2 - X_1} \qquad (3.8)$$

Substituting equation 3.5 for $Y'_3$ and equation 3.6 for $Z'_3$ in Ibrahim's form of the elliptic
curve equation, equation 3.2, one obtains

$$(Y_1 + m_y(X - X_1))^2 - X^3 - aX(Z_1 + m_z(X - X_1))^2 - b(Z_1 + m_z(X - X_1))^3 = 0 \qquad (3.9)$$

Expanding the terms between brackets and grouping the terms with the same powers of
X, one obtains,

$$\begin{aligned}
& X^3 + am_z^2X^3 + bm_z^3X^3 \\
& - m_y^2X^2 + 2am_zZ_1X^2 - 2am_z^2X^2X_1 + bm_z^2Z_1X^2 + 2bm_z^2Z_1X^2 - 2bm_z^3X^2X_1 - bm_z^3X^2X_1 \\
& - 2m_yY_1X + 2m_y^2XX_1 + aXZ_1^2 - 2am_zZ_1XX_1 + am_z^2XX_1^2 + 2bm_zZ_1^2X - 2XX_1bm_z^2Z_1 + bm_zXZ_1^2 \\
& - 4bm_z^2Z_1XX_1 + bm_z^3XX_1^2 + 2bm_z^3XX_1^2 \\
& - Y_1^2 + 2m_yY_1X_1 - m_y^2X_1^2 + bZ_1^3 - 2bm_zZ_1^2X_1 \\
& + bX_1^2m_z^2Z_1 - bm_zX_1Z_1^2 + 2bm_z^2Z_1X_1^2 - bm_z^3X_1^3 = 0 \qquad (3.10)
\end{aligned}$$

Any cubic equation has three roots,

$$(X - X_1)(X - X_2)(X - X'_3) = 0 \qquad (3.11)$$

Scaling the coefficient of the term $X^3$ to 1 in equation 3.10, and equating the coefficient
of the term $X^2$ in equations 3.10 and 3.11, one obtains,

$$X'_3 = \frac{1}{c}(m_y^2 - 2am_zZ_1 + 2am_z^2X_1 - 3bm_z^2Z_1 + 3bm_z^3X_1) - X_1 - X_2 \qquad (3.12)$$

or

$$X'_3 = \frac{1}{c}(m_y^2 - (2a + 3bm_z)m_zZ_1 + (2a + 3bm_z)m_z^2X_1) - X_1 - X_2 \qquad (3.13)$$

and after grouping terms to reduce the number of computations, one obtains,

$$X'_3 = \frac{1}{c}(m_y^2 - m_z(2a + 3bm_z)(Z_1 - m_zX_1)) - X_1 - X_2 \qquad (3.14)$$

where,

$$c = 1 + am_z^2 + bm_z^3 \qquad (3.15)$$

Substituting for the solution of $X'_3$, which is given in equation 3.14, in equation 3.5 one
obtains the solution for $Y'_3$.

Similarly, substituting for the solution of $X'_3$, which is given in equation 3.14, in
equation 3.6 one obtains the solution for $Z'_3$.

Case B: $X_1 = X_2$ & $Z_1 \neq Z_2$

Letting $X_0 = X_1 = X_2$. In this case $X_3 = X_1 = X_2 = X_0$, because the straight line is in
the YZ-plane $X_0$.

In this case, one can write,

$$Y'_3 = Y_1 + n_y(Z'_3 - Z_1) \qquad (3.16)$$

where

$$n_y = \frac{Y_2 - Y_1}{Z_2 - Z_1}$$

Substituting equation 3.16 for $Y'_3$ in Ibrahim's form of the elliptic curve equation,
equation 3.2, and noting that $X = X_0$, one obtains

$$(Y_1 + n_y(Z - Z_1))^2 - X_0^3 - aX_0Z^2 - bZ^3 = 0 \qquad (3.17)$$

Expanding the terms between brackets and grouping the terms with the same powers of
Z, one obtains,



Z J ~(n l y Z l -aX 0 Z* ) + -(ln y Y x Z-ln\2Z^^ 3.18 
Any cubic equation has three roots,

$$(Z - Z_1)(Z - Z_2)(Z - Z'_3) = 0 \qquad (3.19)$$

Equating the coefficient of the term $Z^2$ in equations 3.18 and 3.19, one obtains,

$$Z'_3 = \frac{1}{b}(n_y^2 - aX_0) - Z_1 - Z_2 \qquad (3.20)$$

Substituting for the solution of $Z'_3$, which is given in equation 3.20, in equation 3.16 one
obtains the solution for $Y'_3$.
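
The Case A and Case B formulas above, checked numerically over a small field. This is an added example, not code from the patent: the prime 8191, the coefficients a=1 and b=3 and all function names are constructed here, the slopes are read off the line equation 3.4, and cases C and D are not covered.

```python
# Added illustration: toy parameters constructed for this example.
P = 8191          # field prime, 2**13 - 1, chosen with P % 4 == 3
A, B = 1, 3       # coefficients a and b of Ibrahim's form, equation 3.2


def inv(v):
    """Modular inverse in F(p); v must be non-zero mod P."""
    return pow(v % P, -1, P)


def F(pt):
    """Equation 3.2: zero exactly when (X, Y, Z) satisfies Ibrahim's form."""
    X, Y, Z = pt
    return (Y * Y - X**3 - A * X * Z * Z - B * Z**3) % P


def lift(X, Z):
    """Return (X, Y, Z) satisfying equation 3.2 for the given X and Z, or None."""
    v = (X**3 + A * X * Z * Z + B * Z**3) % P
    Y = pow(v, (P + 1) // 4, P)          # square-root candidate for P % 4 == 3
    return (X, Y, Z) if Y * Y % P == v else None


def third_point_case_a(p1, p2):
    """Case A (X1 != X2): third intersection (X3', Y3', Z3') of the line with EC^3."""
    (X1, Y1, Z1), (X2, Y2, Z2) = p1, p2
    m_y = (Y2 - Y1) * inv(X2 - X1) % P                     # equation 3.7
    m_z = (Z2 - Z1) * inv(X2 - X1) % P                     # equation 3.8
    c = (1 + A * m_z**2 + B * m_z**3) % P                  # equation 3.15
    if c == 0:
        # The X^3 coefficient vanishes, so there is no third finite root.
        raise ZeroDivisionError("c = 0 for this pair of points")
    X3 = ((m_y**2 - m_z * (2 * A + 3 * B * m_z) * (Z1 - m_z * X1)) * inv(c)
          - X1 - X2) % P                                   # equation 3.14
    Y3 = (Y1 + m_y * (X3 - X1)) % P                        # equation 3.5
    Z3 = (Z1 + m_z * (X3 - X1)) % P                        # equation 3.6
    return (X3, Y3, Z3)


def third_point_case_b(p1, p2):
    """Case B (X1 == X2, Z1 != Z2): the line lies in the plane X = X0."""
    (X0, Y1, Z1), (_, Y2, Z2) = p1, p2
    n_y = (Y2 - Y1) * inv(Z2 - Z1) % P
    Z3 = ((n_y**2 - A * X0) * inv(B) - Z1 - Z2) % P        # equation 3.20
    Y3 = (Y1 + n_y * (Z3 - Z1)) % P                        # equation 3.16
    return (X0, Y3, Z3)


def add(p1, p2):
    """Sum point (X3', -Y3', Z3') for cases A and B only."""
    if p1[0] != p2[0]:
        X3, Y3, Z3 = third_point_case_a(p1, p2)
    elif p1[2] != p2[2]:
        X3, Y3, Z3 = third_point_case_b(p1, p2)
    else:
        raise NotImplementedError("cases C and D are outside this example")
    return (X3, -Y3 % P, Z3)


if __name__ == "__main__":
    p1, p2, p3 = lift(1, 1), lift(2, 2), lift(1, 2)
    for a, b in ((p1, p2), (p1, p3)):
        s = add(a, b)
        print(a, "+", b, "=", s, "F =", F(s))
```

A result of `F(s) == 0` confirms that the root picked out by equation 3.14 or 3.20 does land back on the surface defined by equation 3.2.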
Case C: Point Doubling, that is $(X_1, Y_1, Z_1) = (X_2, Y_2, Z_2)$

Letting $(X_0, Y_0, Z_0) = (X_1, Y_1, Z_1) = (X_2, Y_2, Z_2)$, that is,
$(X_3, Y_3, Z_3) = 2(X_0, Y_0, Z_0)$

Doubling a point on an elliptic curve in projective coordinates can be defined in several 
ways. 

C.1 When a tangent line in a XY-plane is drawn at a point on an elliptic curve,
the tangent line intersects the elliptic curve in the projective coordinate,
$EC^3$, at another point. The point symmetric to this intersecting point with
respect to the X-axis is defined as a point resulting from the doubling.
Note that in this case, $Z_3 = Z_0$.

C.2 When a tangent line in a YZ-plane is drawn at a point on an elliptic curve,
the tangent line intersects the elliptic curve in the projective coordinate,
$EC^3$, at another point. The point symmetric to this intersecting point with
respect to the X-axis is defined as a point resulting from the doubling.
Note that in this case, $X_3 = X_0$.

C.3 Some form of a combination of rules C.1 and C.2. The simplest is to
perform doubling using rule C.1 followed by another doubling using rule
C.2. Another is to use the gradients in C.1 and C.2 simultaneously.



Consider case C.1 and case C.2 only.

Case C.1: In this case, $Z_3 = Z_1 = Z_2 = Z_0$. The gradient of the tangent of the point
$(X_0, Y_0, Z_0)$ of the elliptic curve in projective coordinates in a XY-plane is given by,

$$\frac{dY}{dX} = \frac{3X_0^2 + aZ_0^2}{2Y_0} = m_y \tag{3.21}$$

Substituting equation 3.21 for $m_y$ in equation 3.14, and noting that $m_z = 0$ in this case,
one obtains a solution for $X'_3$,

$$X'_3 = m_y^2 - X_1 - X_2 \tag{3.22}$$



Substituting for the solution of $X'_3$, which is given in equation 3.22, in equation 3.5 one
obtains the solution for $Y'_3$.

Case C.2: In this case, $X_3 = X_1 = X_2 = X_0$. The gradient of the tangent of the point
$(X_0, Y_0, Z_0)$ of the elliptic curve in projective coordinates in a YZ-plane is given by,

$$\frac{dY}{dZ} = \frac{2aX_0Z_0 + 3bZ_0^2}{2Y_0} = n_y \tag{3.23}$$

Substituting equation 3.23 for $n_y$ in equation 3.20 one obtains a solution for $Z'_3$,

$$Z'_3 = \frac{1}{b}(n_y^2 - aX_0) - Z_1 - Z_2 \tag{3.24}$$

Substituting for the solution of $Z'_3$, which is given in equation 3.24, in equation 3.16 one
obtains the solution for $Y'_3$.
Case D: $X_1 = X_2$ & $Z_1 = Z_2$

Letting $X_0 = X_1 = X_2$ and $Z_0 = Z_1 = Z_2$. Substituting these values directly in the
Ibrahim form of the elliptic curve equation, equation 3.2, one obtains a quadratic equation
for the Y-coordinate,

$$Y^2 = X_0^3 + aX_0Z_0^2 + bZ_0^3 \tag{3.25}$$

Denoting $Y_0$ as one of the solutions. Clearly, the other solution is $-Y_0$.

Therefore, a line perpendicular to the XZ-plane intersects $EC^3$ at only two points
$(X, Y, Z)$ & $(X, -Y, Z) \in EC^3$. This clearly shows the symmetry of $EC^3$ about the X-axis
and the Z-axis. Furthermore, every $(X, Y, Z) \in EC^3$ has a unique mirror image
point $(X, -Y, Z) \in EC^3$. Now, since a line joining such pairs $(X, Y, Z)$ &
$(X, -Y, Z) \in EC^3$ does not intersect with $EC^3$ at a third finite point, such lines are
assumed to intersect with $EC^3$ at the point of infinity $(X_I, Y_I, Z_I)$. This point at infinity is
used to define both the inverse of a point in $EC^3$ and the identity point. According to the
addition rule defined in section 3.1, one can write,

$$(X, Y, Z) + (X, -Y, Z) = (X_I, Y_I, Z_I) \tag{3.26}$$

since the third point of intersection of such lines is the point at infinity. This equation
therefore defines a unique inverse for any point $(X, Y, Z) \in EC^3$,

$$-(X, Y, Z) = (X, -Y, Z) \tag{3.27}$$

Therefore equation 3.26 can be written as,

$$(X, Y, Z) - (X, Y, Z) = (X_I, Y_I, Z_I) \tag{3.28}$$

One can also say that a line joining the point at infinity and any point $(X, Y, Z) \in EC^3$
will intersect with $EC^3$ at $(X, -Y, Z)$. Therefore from the addition rule defined in
section 3.1, one can also write,

$$(X, Y, Z) + (X_I, Y_I, Z_I) = (X, Y, Z) \tag{3.29}$$

Equation 3.28 satisfies axiom (ii) while equation 3.29 satisfies axiom (i) of the Group
$(EC^3, +)$.
3.2 Associativity of $EC^3$:

One way of proving associativity of $(EC^3, +)$ is as follows. Given particular elliptic curves
(i.e. for particular coefficients "a & b" and finite field F(p)), it can be shown by
computation that any point $Q \in EC^3$ can be uniquely written as $k_QP$, where P is the
generator point of the group $(EC^3, +)$. $EC^3$ groups based on such curves are associative,
because any three points $Q, R, S \in EC^3$ can be written as $k_QP, k_RP, k_SP \in EC^3$ respectively
and hence their sum $(Q + R + S) = (k_QP + k_RP + k_SP) = (k_Q + k_R + k_S)P$ can be carried out
in any order.



4. Second Projective Coordinate 

Each of the equations for point addition and point doublings derived for the cases 
A, B and C in section 3 require one modular inversion or division. In cases where field 
inversions or divisions are significantly more expensive than multiplication, a second 
projective coordinate is used to remove the requirement for field inversion or division 
from these equations. As shown below, the numbers of operations needed for $EC^3$ point
doubling and point additions when performed in the second projective coordinate are
comparable to those needed in $EC^2$.

Several projective coordinates can be used. 

In this invention, the homogenous projection is used as an example,

$$X = \frac{X}{V} \tag{4.1.a}$$

$$Y = \frac{Y}{V} \tag{4.1.b}$$

$$Z = \frac{Z}{V} \tag{4.1.c}$$



Using this projection in the Ibrahim's form of the elliptic curve equation, equation
3.2, one obtains the Homogenous-Ibrahim elliptic curve equation,

$$F(X, Y, Z, V) = V^3 F\left(\frac{X}{V}, \frac{Y}{V}, \frac{Z}{V}\right) = Y^2V - X^3 - aXZ^2 - bZ^3 = 0 \tag{4.2}$$

An elliptic curve projective point (X, Y, Z, V) using Homogenous-Ibrahim
projective coordinates satisfies the Homogenous-Ibrahim elliptic curve equation,
equation 4.2.

When $V \neq 0$, the Homogenous projected point (X, Y, Z, V) corresponds to the
Ibrahim-projected point, $(X, Y, Z) = \left(\frac{X}{V}, \frac{Y}{V}, \frac{Z}{V}\right)$.

Using homogenous projective coordinates, equation 3.3 can be written as, 



{X^ Y^ Z-j /^\ ^1 \ f^2 ^2 ^2 



In what follows, it is shown how the homogenous projective coordinates can be 
used to remove the need for modular inversion or division from the equations in section 
3. This is carried out for each of the Cases A, B and C. 

Case A: 

Substituting for X, Y and Z in terms of the projective coordinates in equations
4.1.a-c, in equation 3.12, and noting that $c = 1 + am_z^2 + bm_z^3$, one obtains,



^ = (j?A^^ X x \ 44 

v, x xzv ~ v x v 2 

where 

*„-Wi-*iK 2 ) 4.5 

A yv =(Y 2 V l -Y t V 2 ) 4.6 

^=(Z 2 F, -Z,F 2 ) 4.7 

4. =(4 4.8 

Letting 

^3 = ^1 *2 ^^-«v 4.9 

Substituting equation 4.9 for $V_3$ in equation 4.4, one obtains,

X\=X xv A xi 4.10 
where



Substituting for X and Y in terms of the projective coordinates in equations 4.1.a & b, in
equation 3.5, and after some simplification, one obtains,



Y> _y, , {Y 2 V X -Y X V 2 ) , X X V 3 
V 3 V x (X 2 V X -X X V 2 )V % 3 v x 



4.12 



Substituting equations 4.9 and 4.10 for $V_3$ and $X'_3$ in equation 4.12, one obtains,
Yi = V 2 XJ.„Y X +X yv (A x3 -V 2 A XZV X X ) 4.13 

Substituting for X and Z in terms of the projective coordinates in equations 4.1.a & c, in
equation 3.6, and after some simplification, one obtains,

+ W&zMll f X ' -Ml* 4 14 

V 3 V x (X 2 V X - X x V 2 )V 3 3 v x 

Substituting equations 4.9 and 4.10 for $V_3$ and $X'_3$ in equation 4.14, one obtains,
Z\ = K Kflx ) 4.15 



The numbers of field operations needed in equations 4.10, 4.13 & 4.15 are twenty four 
multiplications, three squaring, and ten additions. When using mixed coordinates, the 
number of multiplications can be reduced to twenty multiplications. 



Case B: 



Substituting for X, Y and Z in terms of the heterogeneous projective coordinate,
that is equations 4.1.a-c, in equation 3.20, and noting $X_3 = X_1 = X_2 = X_0$, one obtains,

z;_l (Y 2 V X -Y X V 2 ) 2 aX x Z, Z, 
K bV x V 2 (Z 2 V x -Z x V 2 f bV x V x V 2 
Letting,

v 3 = v?v 2 \z 2 v x -zy 2 f 4.17 

Substituting equation 4.17 for $V_3$ in equation 4.16, one obtains,

Z' 3 =jV l V 2 (Z 2 V i -Z X V 2 )A, X 4.18 
where 

A x = -ry 2 f -{ztf-zyl)\\xy 2 +zy 2 +z 2 v t )} 4.19 

Substituting for Y and Z in terms of the projective coordinates in equations 4.1.b
& c, in equation 3.16, one obtains,

^3 K v 3 \ v 2 (z 2 v t -zy 2 ) v x v 2 {z 2 v x -zy 2 )v/ 

Substituting equations 4.17 and 4.18 for $V_3$ and $Z_3$ in equation 4.20, one obtains,

y; = v x v 2 \z 2 v x -zy 2 )X +(Y 2 v, -ry 2 )d A3x -zy 2 {z 2 v x -zy 2 f) 4.21 

b 

The numbers of field operations needed in equations 4.18 & 4.21 are sixteen 
multiplications, two squaring, and seven additions. 

Case C: 

Case C.1:

Substituting for X, Y and Z in terms of the projective coordinate in equations
4.1.a-c, in equation 3.22, one obtains,

$$\frac{X'_3}{V_3} = \frac{(3X_0^2 + aZ_0^2)^2}{4V_0^2Y_0^2} - \frac{2X_0}{V_0} \tag{4.22}$$
Letting, 

K = 4.23 
Substituting equation 4.23 for $V_3$ in equation 4.22, one obtains,

$$X'_3 = 2V_0Y_0D_{3x} \tag{4.24}$$

where

$$D_{3x} = (3X_0^2 + aZ_0^2)^2 - 8V_0Y_0^2X_0 \tag{4.25}$$



Substituting for X, Y and Z in terms of the projective coordinate in equations
4.1.a-c, in equation 3.5 and using the gradient in equation 3.21, one obtains,



Y; _Y 0 ^Xl+aZl ( 2V 0 Y 0 D 3x X 0 V 3 ) ^ 



K K K 2V 0 Y 0 2VYV 

J 0 3 O O O O O 



Substituting equation 4.23, 4.24 and 4.25 for $V_3$, $X_3$ and $D_{3x}$ in equation 4.26,
one obtains,

$$Y'_3 = 8V_0^2Y_0^4 + (3X_0^2 + aZ_0^2)\left((3X_0^2 + aZ_0^2)^2 - 12V_0Y_0^2X_0\right) \tag{4.27}$$

The numbers of field operations needed in equations 4.24 & 4.27 are six 
multiplications, four squaring, and five additions. 
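The following added example (not code from the patent) checks Case C.1 numerically: doubling with equations 3.21 and 3.22 and one inversion gives the same point as the inversion-free equations 4.24, 4.25 and 4.27. The toy prime, the coefficients and all function names are constructed for illustration; the right-hand side of equation 4.23 is not legible on this page, so $V_3 = 8V_0^3Y_0^3$ is derived here as the value that turns 4.22 into 4.24, and equation 3.5 is assumed to place $Y'_3$ on the tangent line. Scaling the input by a random lam is the coordinate randomization that section 6.2 mentions.

```python
# Added example (not from the patent): Case C.1 doubling with and without inversion.
import secrets

P = 1019                 # constructed toy prime, P % 4 == 3
A, B = 2, 3              # constructed curve coefficients a, b


def on_curve(pt):
    """Homogenous-Ibrahim equation 4.2: Y^2 V - X^3 - a X Z^2 - b Z^3 = 0."""
    X, Y, Z, V = pt
    return (Y * Y * V - X**3 - A * X * Z * Z - B * Z**3) % P == 0


def find_point(z0):
    """Search for (x, y, z0) with y != 0 on y^2 = x^3 + a x z^2 + b z^3."""
    for x in range(1, P):
        t = (x**3 + A * x * z0 * z0 + B * z0**3) % P
        y = pow(t, (P + 1) // 4, P)          # square root candidate, valid for P % 4 == 3
        if y and y * y % P == t:
            return (x, y, z0)
    raise ValueError("no point found")


def double_affine(pt):
    """Equations 3.21 and 3.22; needs one field inversion."""
    x0, y0, z0 = pt
    m = (3 * x0 * x0 + A * z0 * z0) * pow(2 * y0, -1, P) % P
    x3 = (m * m - 2 * x0) % P
    y3 = (y0 + m * (x3 - x0)) % P            # ASSUMED form of eq. 3.5 (tangent line)
    return (x3, y3, z0)                      # Z_3 = Z_0 in Case C.1


def double_homogeneous(pt):
    """Equations 4.24, 4.25 and 4.27; multiplications and additions only."""
    X0, Y0, Z0, V0 = pt
    w = (3 * X0 * X0 + A * Z0 * Z0) % P
    vy2 = V0 * Y0 * Y0 % P
    d3x = (w * w - 8 * vy2 * X0) % P                         # 4.25
    X3 = 2 * V0 * Y0 * d3x % P                               # 4.24
    Y3 = (8 * vy2 * vy2 + w * (w * w - 12 * vy2 * X0)) % P   # 4.27
    V3 = 8 * pow(V0 * Y0, 3, P) % P          # derived here, see lead-in
    Z3 = Z0 * 8 * V0 * V0 * pow(Y0, 3, P) % P   # keeps Z_3 / V_3 = Z_0 / V_0
    return (X3, Y3, Z3, V3)


def to_ibrahim(pt):
    """Map (X, Y, Z, V) to (X/V, Y/V, Z/V); the single inversion, done once at the end."""
    X, Y, Z, V = pt
    inv = pow(V, -1, P)
    return (X * inv % P, Y * inv % P, Z * inv % P)


def lift(pt, lam):
    """Homogeneous representative (lam x, lam y, lam z, lam) of an Ibrahim point."""
    return tuple(c * lam % P for c in pt) + (lam % P,)


if __name__ == "__main__":
    p0 = find_point(z0=7)
    lam = secrets.randbelow(P - 1) + 1
    print(to_ibrahim(double_homogeneous(lift(p0, lam))) == double_affine(p0))
```
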



Case C.2: 

Substituting for X, Y and Z in terms of the projective coordinate in equations 
4.1a-c, in equation 3.24, one obtains, 



Z\ _\ {2aX 0 Z 0 +3bZlf aX a 2, 
V 3 b 4YX bV.V. 



Letting 

V 3 =BVX 4.29 
Substituting equation 4.29 for V 3 in equation 4.28, one obtains, 
$$Z'_3 = 2V_0Y_0D_{3z} \tag{4.30}$$



where 

D 3t = {UlaX.Z, + 3bZ 2 o ) 2 -4^V 0 Y 2 X 0 -16V 0 Y 2 ZJ 4.31 
b b 



Substituting for X, Y and Z in terms of the projective coordinate in equations 
4.1a-c, in equation 3.16 and using the gradient in equation 3.23, one obtains, 

Y; _Y 0 { 2aX 0 Z e +lbZl Z\ Z 
V> K 2V o Y 0 \ V/ 

Substituting equations 4.29 and 4.30 for $V_3$ and $Z'_3$ in equation 4.32, one obtains,

$$Y'_3 = 8V_0^2Y_0^4 + (2aX_0Z_0 + 3bZ_0^2)(D_{3z} - 4V_0Y_0^2Z_0) \tag{4.33}$$

The numbers of field operations needed in equations 4.30 & 4.33 are ten 
multiplications, three squaring, and five additions. 
5 $EC^3$ Elliptic Curve Cryptography:

5.1 Symmetric $EC^3$ Cryptography:

Symmetric $EC^3$ Cryptography is carried out as follows:

1 Both the sending and receiving entities agree on a set $EC^3$ by selecting an
elliptic curve. They also need to agree on (i) a random number, k, that will be
the shared secret key for communication, (ii) a base point, $(X_B, Y_B, Z_B) \in EC^3$.

The sending entity performs the following steps,

2 Embed the secret message bit string into the elliptic curve message point,
$(X_m, Y_m, Z_m)$. A possible method of embedding the message bits is described
in section 5.4.

3 Using the shared key, k, and the base point $(X_B, Y_B, Z_B)$, the scalar
multiplication $(X_{Bk}, Y_{Bk}, Z_{Bk}) = k(X_B, Y_B, Z_B)$ is computed.

4 The cipher point $(X_c, Y_c, Z_c)$ is computed using,

5 The appropriate bits of the X-coordinate, $X_c$, and the Z-coordinate, $Z_c$, of the
cipher point $(X_c, Y_c, Z_c)$ are sent to the receiving entity.

At the receiving entity, the following steps are performed,

6 Using the shared key, k, and the base point $(X_B, Y_B, Z_B)$, the scalar
multiplication $(X_{Bk}, Y_{Bk}, Z_{Bk}) = k(X_B, Y_B, Z_B)$ is computed.

7 The message point $(X_m, Y_m, Z_m)$ is computed using,

$$(X_m, Y_m, Z_m) = (X_c, Y_c, Z_c) + (-k(X_B, Y_B, Z_B))$$

8 The secret message bit string is recovered from $X_m$ and $Z_m$. For more details
see section 5.4.

5.2 Public Key $EC^3$ Cryptography:

In public key cryptography, the sending and the receiving entities use two keys.
Each has a private key, $k_{Pr}$, and a public key, $(X_{Pu}, Y_{Pu}, Z_{Pu}) = k_{Pr}(X_B, Y_B, Z_B)$. The
sending entity uses its private key and the receiver's public key to perform encryption of
the secret message bits. The receiver uses its private key and the sender's public key to
perform decryption.

5.3 $EC^3$ Digital Signature:

All the schemes used for digital signatures that are based on the representation of
the elliptic curve points in affine coordinates can be adopted for $EC^3$ digital signatures.
This can be achieved either directly or with some modifications that exploit the
X-coordinate and the Z-coordinate of an elliptic curve point, when represented in
projective coordinate, in generating a digital signature.

A conventional elliptic curve digital signature can be basically summarized as
follows. A more detailed description can be found in [N. Koblitz, A. Menezes, S.
Vanstone, The state of Elliptic Curve Cryptography, Designs, Codes, and Cryptography,
Vol 19, 2000, pp. 173-193.]. The entity which generates a signature has a private key, $k_{Pr}$,
and a public key, $(x_{Pu}, y_{Pu}) = k_{Pr}(x_B, y_B)$. Given a message M, the entity generating the
signature performs the following steps,

1 select a random integer, k, mod p.

2 compute $(x_1, y_1) = k(x_B, y_B)$ and convert $x_1$ to an integer r mod p.

3 compute a message digest, digest(M), which is a bit string that is dependent on the
message, and convert the bit string into an integer e.

4 compute $s = k^{-1}(e + k_{Pr}r) \bmod p$

5 signature of the message M is (r, s).

The signature is verified at the receiving entity using the following steps,

1 compute a message digest, digest(M), and convert the bit string into an integer e,

2 compute $u_1 = es^{-1} \bmod p$ and $u_2 = rs^{-1} \bmod p$,

3 compute $(x_2, y_2) = u_1(x_B, y_B) + u_2(x_{Pu}, y_{Pu})$, and convert $x_2$ into an integer v
mod p.

4 Accept the signature if v = r.

In one embodiment of using the X and Z coordinates for generating a digital signature,
the above elliptic curve digital signature can be modified as follows. The entity which
generates a signature has a private key, $k_{Pr}$, and a public key,
$(X_{Pu}, Y_{Pu}, Z_{Pu}) = k_{Pr}(X_B, Y_B, Z_B)$. Given a message M, the entity generating the
signature performs the following steps,

1 select a random integer, k, mod p.

2 compute $(X_1, Y_1, Z_1) = k(X_B, Y_B, Z_B)$, and concatenate the bit strings of $X_1$ & $Z_1$
together to form a single string $[X_1 : Z_1]$ and convert the combined string into an integer r
mod p.

3 compute a message digest, digest(M), and convert the bit string into an integer e.

4 compute $s = k^{-1}(e + k_{Pr}r) \bmod p$

5 signature of the message M is (r, s).

The signature is verified at the receiving entity using the following steps,

1 compute a message digest, digest(M), and convert the bit string into an integer e,

2 compute $u_1 = es^{-1} \bmod p$ and $u_2 = rs^{-1} \bmod p$,

3 compute $(X_2, Y_2, Z_2) = u_1(X_B, Y_B, Z_B) + u_2(X_{Pu}, Y_{Pu}, Z_{Pu})$, and concatenate the
bit strings of $X_2$ & $Z_2$ together to form a single string $[X_2 : Z_2]$ and convert the
combined string into an integer v mod p.

4 Accept the signature if v = r.

5.4 Data Embedding:

Assuming that the secret message is an M-bit string where $(2N-L) > M > (N-L)$. The message
string is divided into two strings $m_1$ and $m_2$. The length of string $m_1$ must be no more than
(N-L) bits, while the length of string $m_2$ must be no more than (N-1) bits. One
embodiment of the embedding of the two strings can be carried out as follows:

1 assign the value of the bit string of $m_2$ to $Z_m$ using the following embedding
procedure:

a. Assign the value of the bit string $m_2$ to $R_m$.

b. Use Legendre test to see if this value of $R_m$ has a square root.

c. If $R_m$ has a square root, set $Z_m = R_m$, otherwise set $Z_m = gR_m$.

2 Compute $aZ_m^2$ and $bZ_m^3$.

3 Assign the value of the bit string of $m_1$ to $X_m$.

4 Compute $T = X_m^3 + (aZ_m^2)X_m + (bZ_m^3)$.

5 Use Legendre test to see if T has a square root.

6 If T has a square root, assign one of the roots to $Y_m$, else increment $X_m$ and go to
step 4.

1 It should be noted that p is usually predetermined prior to encryption, and so the
value of g can be predetermined.

2 When using the method above, the strings $m_1$ and $m_2$ can be recovered directly
from $X_m$ and $Z_m$ respectively. An extra bit is needed to identify whether $R_m$ or $gR_m$ is
used for $Z_m$ at the receiver. Therefore, to encode (N-1) message data bits, one needs to
send N bits for the Z values.

3 Any non-quadratic value in F(p) can be used for g. For efficiency, g is chosen to
be (-1) for $p \equiv 3 \bmod 4$ and (2) for $p \equiv 1 \bmod 4$.

4 At the receiver, the process is reversed. In the case of g=2, a division by 2 is
carried out. It should be noted that dividing $R_m$ by two is computed using one modulo
addition, because

(i) $R_m / 2 = ((R_m - (R_m) \bmod 2) / 2) + (R_m) \bmod 2 \cdot (1/2) \bmod p$,

(ii) $(R_m) \bmod 2$ is the least significant bit of $R_m$, and

(iii) $(1/2) \bmod p = (p + 1)/2$.
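The embedding and recovery steps of section 5.4, including the Legendre test, the extra g bit and the one-addition halving of note 4, written out as an added example that is not code from the patent. The prime, the coefficients and all function names are constructed; the layout that keeps the low L bits of $X_m$ as a retry counter, so that "increment $X_m$" in step 6 does not alter $m_1$, is an assumption of this example, and g is checked with the Legendre test rather than taken on trust.

```python
# Added example (not from the patent): section 5.4 embedding and recovery.
P = 2**127 - 1        # constructed field prime; P % 4 == 3, so g = -1 is a non-residue
A, B = 5, 7           # constructed curve coefficients a, b
N, L = 127, 8         # N-bit field; ASSUMPTION: low L bits of X_m hold the retry counter


def legendre(d, p=P):
    """Euler's criterion: 1 for a quadratic residue, 0 for d = 0 mod p, -1 otherwise."""
    s = pow(d % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def half_mod(r, p):
    """r/2 mod p as in note 4: shift out the low bit, add (p+1)/2 if that bit was set."""
    return ((r >> 1) + (r & 1) * ((p + 1) // 2)) % p


def embed(m1, m2, g=-1):
    """Embed integers m1 (<= N-L bits) and m2 (<= N-1 bits) as (X_m, Y_m, Z_m)."""
    if m1.bit_length() > N - L or m2.bit_length() > N - 1:
        raise ValueError("message block too long for this field")
    if legendre(g) != -1:
        raise ValueError("g must be a quadratic non-residue mod p")
    used_g = legendre(m2) == -1                 # steps 1.b / 1.c
    z = (g * m2) % P if used_g else m2
    for counter in range(1 << L):               # steps 3-6: step X_m until T is a square
        x = (m1 << L) | counter
        if x >= P:
            break
        t = (x**3 + A * z * z * x + B * z**3) % P
        if legendre(t) != -1:
            y = pow(t, (P + 1) // 4, P)         # square root; valid because P % 4 == 3
            return (x, y, z), used_g            # used_g is the extra bit sent with Z
    raise ValueError("no curve point found for this block")


def recover(x, z, used_g, g=-1):
    """Receiver: strip the counter bits from X_m and undo the multiplication by g."""
    if g == 2:
        m2 = half_mod(z, P) if used_g else z
    else:
        m2 = (z * pow(g % P, -1, P)) % P if used_g else z
    return x >> L, m2


if __name__ == "__main__":
    m1 = int.from_bytes(b"meter reading", "big")     # constructed sample message halves
    m2 = int.from_bytes(b"42.7 kWh @ 0900", "big")
    (x, y, z), flag = embed(m1, m2)
    print(recover(x, z, flag) == (m1, m2))
```
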



6 Security of $EC^3$:

The effect of using the X-coordinate and the Z-coordinate of an elliptic curve
point when represented in projective coordinate in the encrypting of message data
bit-strings on the strength of elliptic curve cryptography is assessed in the following aspects:

1 the effect on the solution of ECDLP,

2 power analysis attacks.

6.1 ECDLP in $EC^3$:

The apparent intractability of the following elliptic curve discrete logarithm
problem (ECDLP) is the basis of the security of elliptic curve cryptosystems. The
ECDLP problem can be stated as follows: given an elliptic curve defined over F(p) that
needs N bits for the representation of its elements, an elliptic curve point $(x_P, y_P) \in EC^2$
defined in affine coordinates, and a point $(x_Q, y_Q) \in EC^2$ defined in affine coordinates,
determine the integer k, $0 < k < n - 1$, such that $(x_Q, y_Q) = k(x_P, y_P)$ provided that such
an integer exists. In what follows, it is assumed that such an integer exists.

The ECDLP in $EC^3$ can be stated as follows: given a point $(X_P, Y_P, Z_P) \in EC^3$
and a point $(X_Q, Y_Q, Z_Q) \in EC^3$ defined in projective coordinates, find k such that

$$(X_Q, Y_Q, Z_Q) = k(X_P, Y_P, Z_P).$$

All the known attacks that are used to solve the ECDLP in $EC^2$ are applicable to
the solution of the ECDLP in $EC^3$. The most well known attack is that of the Pollard
ρ-method, [J. Pollard, Monte Carlo methods for index computation mod p, Mathematics of
Computation, Vol. 32 (1978) pp. 918-924.] which has a complexity of $O(\sqrt{\pi n}/2)$, where
a step means an elliptic curve addition [N. Koblitz, A. Menezes, S. Vanstone, The state of
Elliptic Curve Cryptography, Designs, Codes, and Cryptography, Vol 19, 2000, pp. 173-193.]

In $EC^3$, the modified Pollard ρ-method can be formulated as follows: find two
points $(X_i, Y_i, Z_i) = A_i(X_Q, Y_Q, Z_Q) + B_ik(X_P, Y_P, Z_P)$ and
$(X_j, Y_j, Z_j) = A_j(X_Q, Y_Q, Z_Q) + B_jk(X_P, Y_P, Z_P)$ such that $(X_i, Y_i, Z_i) = (X_j, Y_j, Z_j)$,
and hence $k = \frac{A_i + A_j}{B_i + B_j}$, and given that all the points are members of $EC^3$.

It is clear that the complexity of the Pollard ρ-method in $EC^3$ is not less than the
complexity of the Pollard ρ-method in $EC^2$ for the same group order.

It should also be added that since $EC^3$ encryption and $EC^2$ encryption are
generated by the same elliptic curve, all the analysis of the security of $EC^2$ cryptography
will be applicable to the analysis of the security of $EC^3$ cryptography.



6.2 Security against SPA and DPA:

Simple and differential power analysis can be used to attack $EC^3$ cryptosystems in
a similar manner in which they are used to attack $EC^2$ cryptosystems.

The countermeasures that are used against simple and differential power analysis
for $EC^2$ cryptosystems are also applicable for $EC^3$. For example, the countermeasures
proposed by J-S Coron, in "Resistance Against Differential Power Analysis for Elliptic
Curve Cryptosystems, Cryptographic Hardware and Embedded Systems, Vol. 1717,
Lecture Notes in Computer Science, pp 292-302, Springer-Verlag, 1999", can all be
adopted as countermeasures against power analysis in $EC^3$ cryptosystems. As an
example, the randomized projective coordinates method can be applied in $EC^3$ by
randomizing the coordinates of the second projection, that
is $(X', Y', Z', V) = (X'\lambda, Y'\lambda, Z'\lambda, V\lambda)$, where $\lambda$ is a random variable.



The Legendre Symbol is used to test whether an element of F(p) has a square root or not, 
i.e. whether an element is quadratic residue or not. This implies that one does not need to 
compute the square root to check if an element has a square root or not. The Legendre 
Symbol and test is described below: 

Legendre Symbol

Given an element of a finite field F(p), say d, the Legendre symbol is defined as $\left(\frac{d}{p}\right)$.

To test whether d is quadratic residue or not, the Legendre symbol, $\left(\frac{d}{p}\right)$, is used:

$$\left(\frac{d}{p}\right) = \begin{cases} +1 & \text{if } d \text{ is quadratic residue} \\ 0 & \text{if } d \equiv 0 \bmod F(p) \\ -1 & \text{otherwise} \end{cases}$$



While the invention has been described in connection with the preferred 
embodiments, it should be recognized that changes and modifications may be made 
therein without departing from the scope of the appended claims. 